Security

(public)

User Story

If an app, or a version of an app, has a security hole, we'll need to remove it from the APK Factory cache. Having a signed version of an app that has a known security issue in it would be a no-no.
In AMO we remove addons if old versions have been disabled. Likewise, something should happen here. Perhaps when a version is deleted or disabled from the Marketplace, we can send an API ping to the APK Factory and ask it to delete the affected builds.

Ozten rightly pointed out that we aren't really signing it with a Mozilla key; we are signing it on behalf of the developer. This is an important distinction from how signed packaged apps work. Still, the idea of having an app that has a known security flaw in our cache somewhere makes me feel nervous. So not sure.

Indeed, it wouldn't hurt to have a way to purge the cache, although we'll want to ensure that it isn't abused to mount a DoS attack on the factory. I can readily imagine how to do that for Marketplace, but I'm unsure how to do it for marketplaces generally.

When we discussed this we said we'd make the APK cache poll manifest URLs every once in a while and expunge the ones that are 404s. When the Marketplace finds a malicious hosted app it will delete it and the URL will be gone. In this approach we would not be policing hosted app URLs. Those wouldn't be installable anyway since the Marketplace won't list them.
Marking as a P4 because the install button won't be visible for deleted manifest URLs.
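A sketch of the manifest-polling expunge pass described in this comment, added here as an example and not code from the APK Factory project. The cache layout, the `fetch_status` callback, the 410 handling and the two-strikes threshold are assumptions; the point it adds is that only definitive 404/410 responses count, so a flaky origin or a transient network error cannot purge builds.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A cached build keyed by its manifest URL (assumed cache layout).
@dataclass
class CacheEntry:
    manifest_url: str
    apk_path: str
    consecutive_404s: int = 0

# Expunge only after this many consecutive definitive 404s, so a single
# stray response cannot purge a build (illustrative threshold).
EXPUNGE_AFTER = 2

# fetch_status(url) returns the HTTP status code, or None on a network
# error or timeout (hypothetical callback signature).
FetchStatus = Callable[[str], Optional[int]]


def poll_and_expunge(cache: Dict[str, CacheEntry],
                     fetch_status: FetchStatus) -> List[str]:
    """Poll every manifest URL once; return the URLs whose builds were expunged.

    Policy:
      * 404 or 410 is a definitive "manifest is gone" signal and bumps the counter.
      * Any 2xx resets the counter: the app is still published.
      * 5xx, other 4xx and network errors are inconclusive and leave the
        entry untouched, so a flaky origin cannot trigger a mass purge.
    """
    removed: List[str] = []
    for url, entry in list(cache.items()):
        status = fetch_status(url)
        if status in (404, 410):
            entry.consecutive_404s += 1
            if entry.consecutive_404s >= EXPUNGE_AFTER:
                del cache[url]  # a real cache would also delete entry.apk_path
                removed.append(url)
        elif status is not None and 200 <= status < 300:
            entry.consecutive_404s = 0
        # anything else is inconclusive: keep the entry and its counter as-is
    return removed


if __name__ == "__main__":
    # Constructed sample cache and scripted responses for a stand-alone run.
    sample = {u: CacheEntry(u, u.rsplit("/", 1)[1] + ".apk", n) for u, n in [
        ("https://example.test/live.webapp", 0),
        ("https://example.test/gone.webapp", 1),
        ("https://example.test/flaky.webapp", 1),
    ]}
    scripted = {"https://example.test/live.webapp": 200,
                "https://example.test/gone.webapp": 404}  # flaky -> None
    print(poll_and_expunge(sample, scripted.get))  # prints ['https://example.test/gone.webapp']
```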

(In reply to Kumar McMillan [:kumar] (needinfo for quickness) from comment #3)
> Marking as a P4 because the install button won't be visible for deleted
> manifest URLs.
Discussed with kumar and if the Marketplace doesn't allow the install, that's fine by me.
We can't really stop people using the APK Factory to sign a malicious app, hosting it for them and sticking an "install me" button on the developer's website. We can only really police the Marketplace.